Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Disconnected Log Collectors

Use the QRadar Log Source Management app to register or import Disconnected Log Collector instances that are installed in your environment. You can configure your log sources in the app, which is much faster than by using the Disconnected Log Collector's JSON config file.

Disconnected Log Collector sends events to a QRadar deployment by using the User Datagram Protocol (UDP) or by using Transport Layer Security over the Transmission Control Protocol (TLS over TCP). When Disconnected Log Collector uses TLS over TCP, it buffers incoming events during times when it’s disconnected from QRadar and sends them when the connection is restored. Buffer capacity can be configured, and is limited by the available memory and disk space.

Registering a Disconnected Log Collector

Use the QRadar Log Source Management app to register Disconnected Log Collector instances with your QRadar deployment.

  1. In the QRadar Log Source Management app, click the navigation menu icon and then click Disconnected Log Collectors >Register Disconnected Log Collector.

  2. On the Register a Disconnected Log Collector page, configure the parameters for your Disconnected Log Collector instance, and then click Register.

Importing a Disconnected Log Collector

Use the QRadar Log Source Management app to import an existing Disconnected Log Collector instance into your QRadar deployment.

When you import a Disconnected Log Collector instance into your QRadar deployment, you have access to the following features:

  • Domain Mapping: You can assign the Disconnected Log Collector instance to a domain. Any events that are forwarded to QRadar by this Disconnected Log Collector instance are associated with the assigned domain. You can only apply Domain Mapping for Disconnected Log Collector instances that forward events to QRadar through TLS over TCP communication.

  • Log Source Configuration Management: You can manage the log sources of the disconnected log collector with the QRadar Log Source Management app. This feature is only available with Disconnected Log Collector version 1.4 or later.

  1. In the QRadar Log Source Management app, click the navigation menu icon and then click Disconnected Log Collectors.

  2. Click Import Disconnected Log Collector >Upload Configuration.

  3. To import the configuration from the Disconnected Log Collector host, click Upload File.

  4. Choose your configuration, click Open, and then click Register Disconnected Log Collector.

  5. On the Register the Disconnected Log Collector page, configure the parameters, and click Import Log Sources.

  6. On the Import Log Sources page, select the appropriate import action for each imported protocol configuration.

  7. Click Finish.

Related Documentation